If a persona.org account is initially created with a "primary"
address (meaning an address served by a participating IdP, so
persona.org is given an assertion from that IdP as proof of ownership),
the new account will not have a password associated with it. If you then
add a "secondary" address (meaning an address *not* served by a
participating IdP, requiring an email challenge to prove ownership), you
will have to set up a password when you add the secondary. The
establishment of this password should *not* invalidate any sessions that
were set up earlier.

In Bug #2307, this manifested as the first browser (in which the
add-secondary-email operation was started, so it had the old session and
was waiting for the operation to complete, polling
/wsapi/email_addition_status all the while) receiving a "400
Unauthorized" error when the email challenge link was opened in a second
browser (which thus got a new session).

The test for this effect lives in tests/primary-then-secondary-test.js,
which need the same 2-second delay as password-update-test.js (to make
sure that the modified lastPasswordReset time was actually different
than the previous value, so the session really would be expired).

Since MySQL TIMESTAMP is quantized to whole seconds, also change tests
to add a 2s stall before changing the password, to make sure
lastPasswordReset gets a new value.

All wsapi operations now require the database (to update+check the
superSessionToken), so some tests that previously expected operations to
succeed without a database now expect them to fail (generally 503).

wsapi_client.js was changed to pass HTTP errors during
/wsapi/session_context back to the caller, so their response code can be
checked, rather than throwing an error (and preventing any other
assertions from being made).

This makes it possible to test two distinct sessions at the same time,
needed to exercise expiring one session when the password is changed in
a second session.

* Change the last bcrypt.get_rounds to bcrypt.getRounds.
* Remove the bcrypt require from tests where it is not needed.
* Remove exports.get_rounds from bcrypt.js, it has been deprecated.

git-subtree-dir: automation-tests/browserid
git-subtree-split: f4063ba738486918a9a2fedea3545f37f949e3d6

* Remove the signup page and all remnants of it.

Ensure that when a user verifies in a different browser than what they reset their password with, they must authenticate to complete the verification

add access-control-allow-origin to all static resources (excluding views), to allow fonts to be requested cross domain.  fixes a regression introduced during the merge of router, for issue #1973

Allow assertions issued by person to be used to authenticate.  This makes it possible for "proxy idps" to work without the implementation details leaking out into others verifier implementations.

add test coverage of origins that start with digits, and relax validation regex a bit - closes #2042

extensive testing of i18n mechanism - including english fallback, string substition from .json files, and debug locale

perform rigorous validation on all API parameters, cleanup redundancy in sanitize.js and validate.js - issue #1526

Signed-off-by: Lloyd Hilaiel <lloyd@hilaiel.com>

rename the 'add email' email we send out to 'confirm', and use it in both the email addition case, and the email reverification case.  This is more about semantics than behavior change

fix issue GH-1958; add '/production/authenticate_with_primary.js' to items to exclude and reformat the single line array

add tests of email_for_token in the context of password reset, remove old transitional code, fix exception in complete_reset api that was preventing authentication of user.